<div>
<h2>&ndash; Using the CVE-2021-26855 Payload</h2><p>After the recent vulnerabilities that hit on-premises Exchange Servers, I found some time to install Kali Linux and check what kind of information I could still get from the patched servers.</p><p>I downloaded the payloads and ran them against a couple of clients whose servers I had patched; luckily, no authentication was achieved.</p><p><a href="https://www.moh10ly.com/wp-content/uploads/2021/03/image-1.png"><img width="504" height="235" title="image" style="display: inline; background-image: none;" alt="image" src="https://www.moh10ly.com/wp-content/uploads/2021/03/image_thumb-1.png" border="0"></a></p><h2>&ndash; Using the Nikto scanner</h2><p>Using the Nikto command from Kali Linux, I could see what information Exchange still exposes.</p><p>The command line is nikto -h mail.domain.com, and the scan result exposes the server&rsquo;s name, local IP address, OWA version, and ASP.NET platform and version.</p><p><a href="https://www.moh10ly.com/wp-content/uploads/2021/03/image-2.png"><img width="1025" height="451" title="image" style="display: inline; background-image: none;" alt="image" src="https://www.moh10ly.com/wp-content/uploads/2021/03/image_thumb-2.png" border="0"></a></p><p>Since my Exchange Server is published via HAProxy 1.8 on pfSense, I had to tweak HAProxy to strengthen the ciphers, make sure that HSTS is in place, and strip the headers that expose the server&rsquo;s sensitive information.</p><p>The result is pretty good, and it has also improved the server&rsquo;s score on ssllabs.com.</p><p>Prior to the tweaking, my OWA scan result on SSL Labs would get an A.</p><p><a href="https://www.moh10ly.com/wp-content/uploads/2021/03/image-3.png"><img width="1028" height="389" title="image" style="margin: 0px; display: inline; background-image: none;" alt="image" src="https://www.moh10ly.com/wp-content/uploads/2021/03/image_thumb-3.png" border="0"></a></p><h2>&ndash; pfSense&rsquo;s HAProxy Settings before</h2><p>Before upgrading pfSense to the latest version, HAProxy was on 1.6 and the SSL/TLS settings were different: they were set up through the Advanced SSL options on the frontend. That is no longer supported, so you will have to remove those options and set them up under &ldquo;Global Advanced pass thru&rdquo; on the General settings page.</p><blockquote>
<p>ssl-default-bind-options ssl-min-ver TLSv1.2<br>
tune.ssl.default-dh-param 2048<br>
ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK</p>
</blockquote><p><a href="https://www.moh10ly.com/wp-content/uploads/2021/03/image-4.png"><img width="895" height="168" title="image" style="margin: 0px; display: inline; background-image: none;" alt="image" src="https://www.moh10ly.com/wp-content/uploads/2021/03/image_thumb-4.png" border="0"></a></p><p>Right after you save this, you will still need to change another setting on the Frontend to protect your server&rsquo;s information from being exposed.</p><p>In the HAProxy settings, go to Frontend &gt; scroll all the way down to &ldquo;Advanced pass thru&rdquo; and paste the following:</p><p><a href="https://www.moh10ly.com/wp-content/uploads/2021/03/image-5.png"><img width="771" height="412" title="image" style="margin: 0px; display: inline; background-image: none;" alt="image" src="https://www.moh10ly.com/wp-content/uploads/2021/03/image_thumb-5.png" border="0"></a></p><blockquote>
<p># Remove headers that expose security-sensitive information.</p>
<p>rspadd X-Frame-Options:\ SAMEORIGIN<br>
rspidel X-FeServer:.*$<br>
rspidel ^Server:.*$<br>
rspidel ^X-Powered-By:.*$<br>
rspidel ^X-AspNet-Version:.*$<br>
rspidel X-WsSecurity-Enabled:.*$<br>
rspidel X-WsSecurity-For:.*$<br>
rspidel X-OAuth-Enabled:.*$<br>
rspadd X-Xss-Protection:\ 1;\ mode=block<br>
rspadd Strict-Transport-Security:\ max-age=31536000;includeSubDomains;preload<br>
rspadd Referrer-Policy:\ no-referrer-when-downgrade<br>
rspidel Request-Id:.*$<br>
rspidel X-RequestId:.*$<br>
rspadd X-Content-Type-Options:\ nosniff</p>
</blockquote><p>In the result below, I have almost everything protected well except for the OWA version, which can be a bit problematic. In the next article I am going to try to mitigate this so the server is protected in the expected manner.</p><p><a href="https://www.moh10ly.com/wp-content/uploads/2021/03/image-6.png"><img width="1028" height="277" title="image" style="display: inline; background-image: none;" alt="image" src="https://www.moh10ly.com/wp-content/uploads/2021/03/image_thumb-6.png" border="0"></a></p><p><a href="https://www.moh10ly.com/wp-content/uploads/2021/03/image-7.png"><img width="1028" height="429" title="image" style="display: inline; background-image: none;" alt="image" src="https://www.moh10ly.com/wp-content/uploads/2021/03/image_thumb-7.png" border="0"></a></p><h2>&ndash; The Result</h2><p>Now the server shows a totally different result, and the Nikto scan is not revealing anything anymore.</p><p>SSL Labs</p><p><a href="https://www.moh10ly.com/wp-content/uploads/2021/03/image-8.png"><img width="1028" height="472" title="image" style="display: inline; background-image: none;" alt="image" src="https://www.moh10ly.com/wp-content/uploads/2021/03/image_thumb-8.png" border="0"></a></p><p><a title="https://securityheaders.com/" href="https://securityheaders.com/">https://securityheaders.com/</a></p><p>The reason I got a B on securityheaders.com is that a Content-Security-Policy header breaks the ECP and OWA login pages. Permissions-Policy is a new feature, and I couldn&rsquo;t find anything about it for HAProxy.</p><p><a href="https://www.moh10ly.com/wp-content/uploads/2021/03/image-9.png"><img width="1028" height="506" title="image" style="display: inline; background-image: none;" alt="image" src="https://www.moh10ly.com/wp-content/uploads/2021/03/image_thumb-9.png" border="0"></a></p><p>I hope this helps.</p><p>References:</p><p><a title="https://securityheaders.com/" href="https://securityheaders.com/">https://securityheaders.com/</a></p><p><a title="https://www.ssllabs.com/" href="https://www.ssllabs.com/">https://www.ssllabs.com/</a></p><p><a title="https://www.haproxy.com/documentation/aloha/12-0/traffic-management/lb-layer7/http-rewrite/" href="https://www.haproxy.com/documentation/aloha/12-0/traffic-management/lb-layer7/http-rewrite/">https://www.haproxy.com/documentation/aloha/12-0/traffic-management/lb-layer7/http-rewrite/</a></p><p><a title="https://www.net7.be/blog/article/xss_csrf_http_security.html" href="https://www.net7.be/blog/article/xss_csrf_http_security.html">https://www.net7.be/blog/article/xss_csrf_http_security.html</a></p></div>
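<p>As an added example (not the post's own code and not part of HAProxy or pfSense), the Python script below takes the rspidel/rspadd rules from the "Advanced pass thru" block above, applies them to a constructed Exchange-style HTTP response, and reports what a scanner such as Nikto or securityheaders.com would still see before and after. The response headers and their values are made up for the example; X-OWA-Version is a real Exchange header that the post's rules do not cover, so the audit shows it surviving the rewrite, matching the result described above where only the OWA version remained exposed. The delete matching is emulated as unanchored, case-insensitive regex search, which is how rspidel evaluates its pattern.</p>

```python
"""Emulate the HAProxy 1.8 rspidel/rspadd rules from the post against a
constructed Exchange-style HTTP response and report what still leaks.

The sample response below is constructed for this example."""
import re

# Constructed sample of what an unhardened OWA front end answers with.
# Values are made up; X-OWA-Version is a real Exchange header that the
# post's rules do not delete, so it is expected to survive the rewrite.
RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: no-cache\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "X-FEServer: EXCH01\r\n"
    "X-OWA-Version: 15.1.2176.9\r\n"
    "request-id: 0f3c8c1e-0000-0000-0000-000000000000\r\n"
    "\r\n"
)

# Regexes exactly as given in the post's "Advanced pass thru" block.
# HAProxy's rspidel is an unanchored, case-insensitive regex delete.
RSPIDEL = [
    r"X-FeServer:.*$",
    r"^Server:.*$",
    r"^X-Powered-By:.*$",
    r"^X-AspNet-Version:.*$",
    r"X-WsSecurity-Enabled:.*$",
    r"X-WsSecurity-For:.*$",
    r"X-OAuth-Enabled:.*$",
    r"Request-Id:.*$",
    r"X-RequestId:.*$",
]

# Headers the post's rspadd lines append (values verbatim from the post).
RSPADD = [
    ("X-Frame-Options", "SAMEORIGIN"),
    ("X-Xss-Protection", "1; mode=block"),
    ("Strict-Transport-Security", "max-age=31536000;includeSubDomains;preload"),
    ("Referrer-Policy", "no-referrer-when-downgrade"),
    ("X-Content-Type-Options", "nosniff"),
]

# Headers a scanner such as Nikto reports as fingerprinting information.
DISCLOSURE_HEADERS = {
    "server", "x-powered-by", "x-aspnet-version", "x-feserver",
    "x-owa-version", "request-id", "x-requestid",
}
# Headers securityheaders.com expects to be present.
EXPECTED_HEADERS = {
    "strict-transport-security", "x-frame-options",
    "x-content-type-options", "referrer-policy",
}


def parse_headers(raw):
    """Split a raw HTTP response into a list of (name, value) header pairs."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")[1:]  # drop the status line
    out = []
    for line in lines:
        name, _, value = line.partition(":")
        out.append((name.strip(), value.strip()))
    return out


def apply_policy(headers):
    """Apply the rspidel deletes, then the rspadd appends, HAProxy-style.

    Deleting first is equivalent to the post's interleaved order because
    none of the delete patterns match any of the added headers."""
    kept = []
    for name, value in headers:
        line = f"{name}: {value}"
        if any(re.search(pat, line, re.IGNORECASE) for pat in RSPIDEL):
            continue
        kept.append((name, value))
    return kept + list(RSPADD)


def audit(headers):
    """Return (leaking header names, missing expected header names), sorted."""
    present = {name.lower() for name, _ in headers}
    leaking = sorted(present & DISCLOSURE_HEADERS)
    missing = sorted(EXPECTED_HEADERS - present)
    return leaking, missing


def demo():
    """Audit the constructed response before and after the rewrite."""
    before = parse_headers(RAW_RESPONSE)
    after = apply_policy(before)
    return audit(before), audit(after)


if __name__ == "__main__":
    (leak_b, miss_b), (leak_a, miss_a) = demo()
    print("before: leaking", leak_b, "missing", miss_b)
    print("after:  leaking", leak_a, "missing", miss_a)
```

<p>Running it prints six leaking headers and four missing ones before the rewrite, and only x-owa-version leaking with nothing missing afterwards. One caveat for anyone on a newer pfSense package: rspadd and rspidel were removed in HAProxy 2.1, so the same policy there is written with http-response del-header and http-response set-header lines.</p>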